The new backdoor seen in government cyber spyware attacks uses the Windows BITS (Background Intelligent Transfer Service) component to hide the traffic it exchanges with the command server.

According to cybersecurity researchers, they know the group behind the new backdoor.

Her name is Stealth Falcon.

Experts have been monitoring the activity of these attackers for several years.

To date, the only Stealth Falcon operations report is from Citizen Lab, a nonprofit organization specializing in protecting human rights.

The report dates from 2016.

Citizen Lab experts claim that this group has been operating since 2012.

Her attacks previously used a different backdoor inscribed on PowerShell.

However, in a study published on September 9 by ESET experts, Stealth Falcon switched to using a new tool, and it is even more sophisticated and secretive.

The main method used by the backdoor to hide its activities in the system is the Windows component, known by the acronym BITS.

BITS is a background file transfer service between a client and a server.

Revealing a new trojan, ESET employees named it Win32 / StealthFalcon.

According to them, the malware works as a standard backdoor, allowing operators to download and run code or extract data, sending them to the attackers server.

ESET emphasized that Win32 / StealthFalcon interacts with the command center (C&C) not through classic HTTP or HTTPS requests, but by hiding traffic inside BITS.

Researchers believe that this approach allows criminals to bypass firewalls – after all, everyone is used to the fact that BITS traffic contains only software updates, and therefore it is most often ignored.